In this recipe, you will see how to set up secure public key authentication.
Follow these steps to set up public key authentication:
1. Create a new user, john, with the following command:
   $ sudo adduser john
2. Log in as john and change to the home directory with cd ~/.
3. Create the .ssh directory if it doesn't already exist:
   $ mkdir .ssh
4. Create a file named authorized_keys under the .ssh directory:
   $ touch .ssh/authorized_keys
5. Change the permissions of the .ssh directory to 700:
   $ chmod 700 .ssh
6. Change the permissions of authorized_keys to 600:
   $ chmod 600 .ssh/authorized_keys
7. On your local system, generate a key pair:
   $ ssh-keygen
8. Copy the contents of the local .ssh/id_rsa.pub file to the authorized_keys file on the server.
9. Test the SSH connection from local to server with the following command:
   $ ssh john@server
10. When asked to confirm the server's key, type yes and press the Enter key to continue.

Logging in with SSH supports different authentication methods. Public key authentication and password-based authentication are two common methods. To log in with public key authentication, we need a public/private key pair. We generate this key pair with the ssh-keygen command. This command creates two files under the .ssh directory in the user's home:
   id_rsa: This is the private key file
   id_rsa.pub: This is the public key file
You can view the contents of the files with $ cat id_rsa.pub. It should start with something like ssh-rsa AAAA... (except for the trailing dots).
We then copy the contents of the public key to the server's authorized_keys file. Ensure that the whole key is on a single line in the authorized_keys file.
Also, ensure that the permissions are properly set for the .ssh directory, and that the authorized_keys file and the .ssh directory are owned by the user. The permissions on the .ssh directory (700) limit read, write, and execute access to the owner. Similarly, the permissions on the authorized_keys file (600) limit access to read and write for the owner only. This ensures that no other user can modify the data in the .ssh directory. If these permissions are not properly set, the SSH daemon will refuse the key and report a Permission denied error.
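The following shell functions are an added example (not the book's own code) that carry out the .ssh and authorized_keys setup from the steps above and then check the modes and ownership this explanation calls for. The function names are my own; the sample key in the usage is constructed, and the key check also accepts ssh-ed25519 keys, which the recipe does not mention.

```shell
#!/bin/sh
# Added example: prepare a user's ~/.ssh the way the recipe does, install a
# public key line, and verify the modes and ownership sshd expects.
# Function names are hypothetical; any sample key used with them is constructed.

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Numeric uid of the owner of a path.
owner_uid_of() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# Create $1/.ssh (mode 700) and $1/.ssh/authorized_keys (mode 600).
setup_ssh_dir() {
    mkdir -p "$1/.ssh"
    touch "$1/.ssh/authorized_keys"
    chmod 700 "$1/.ssh"
    chmod 600 "$1/.ssh/authorized_keys"
}

# Append public key $2 to $1/.ssh/authorized_keys, but only if it is a single
# line that begins with a key type (ssh-rsa as in the recipe, or ssh-ed25519).
install_pubkey() {
    nl=$(printf '\nx'); nl=${nl%x}          # a literal newline for the pattern below
    case "$2" in
        *"$nl"*) echo "key must be a single line" >&2; return 1 ;;
        "ssh-rsa "*|"ssh-ed25519 "*) ;;
        *) echo "key does not start with a key type" >&2; return 1 ;;
    esac
    printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
}

# Verify what the "Permission denied" explanation requires: .ssh is 700,
# authorized_keys is 600, and both are owned by user $2. Returns 1 on the
# first problem found and names it on stderr.
check_ssh_dir() {
    d="$1/.ssh"; f="$d/authorized_keys"; uid=$(id -u "$2")
    [ "$(mode_of "$d")" = 700 ]          || { echo ".ssh mode is $(mode_of "$d"), want 700" >&2; return 1; }
    [ "$(mode_of "$f")" = 600 ]          || { echo "authorized_keys mode is $(mode_of "$f"), want 600" >&2; return 1; }
    [ "$(owner_uid_of "$d")" = "$uid" ]  || { echo ".ssh is not owned by $2" >&2; return 1; }
    [ "$(owner_uid_of "$f")" = "$uid" ]  || { echo "authorized_keys is not owned by $2" >&2; return 1; }
}
```

Run check_ssh_dir against the user's home after copying the key; a non-zero exit points at the exact mode or ownership problem that would otherwise surface only as a Permission denied at login.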
When the SSH client initiates a connection with the server, the server sends its public key identification to the client. If the client is connecting to the server for the first time, it shows a warning and asks for user confirmation to store the server key in the known_hosts file under the .ssh directory. After receiving the identity, the client authenticates the server to ensure that it is really the intended server.
After server authentication, the server sends a list of possible authentication methods. The client selects an authentication method and sends its selection to the server. After receiving the authentication method, the server sends a challenge string encrypted with the client's private key. The client has to decrypt this string and send it back to the server along with the previously shared session key. If the response from the client matches the response generated by the server, then client authentication succeeds.
You might be searching for a secure option to install the key on the server. Here's one way!
If your local system has the ssh-copy-id tool installed, you can directly add your public key to the server's authorized_keys file with a single command:
$ ssh-copy-id john@serverdomain
After providing the password, your local public key will be added to the authorized_keys file under the .ssh directory of the user john.
Most connection issues are related to configuration problems. If you happen to face any such issue, read the error message in detail. It is descriptive enough to understand the mistake. You can also go through the following checklist:
   Check the authorized_keys file on the server for your public key
   Check known_hosts on the local system
Additionally, you can use the verbose flag (-v or -vvv) with the ssh command to get details of every step taken by the SSH client. Also, check the SSH daemon logs on the server.
If your local system runs Windows, then you can use the tools provided by PuTTY to generate new keys and connect to the server:
   putty.exe: This is the SSH client on Windows
   puttygen.exe: This tool generates public and private keys
   pscp.exe: This is the SCP client for secure file transfer
When using a public key generated by the puttygen.exe tool, make sure that you convert the key to the OpenSSH key format. Remove all comments and prepend ssh-rsa. Additionally, the entire key should be listed on a single line.
Another easy option is to use puttygen.exe itself. Load your private key in PuTTYgen and then copy the public key from the Key section of the PuTTYgen window.